Load balanced environment

pjgadsdon@gmail.com
Tue Sep 4 04:11:56 EDT 2012


On Monday, 13 August 2012 15:51:23 UTC+2, GADSDON Paul  wrote:
> Hi Folks
> 
> I was wondering if anyone could help with the configuration of Kerberos in an Apache load balanced environment.
> 
> We have an external Apache HTTP gateway in the DMZ and an Apache load balancer in the Back Office. The gateway is set up to proxypass requests for an internal address to the HTTP gateway in the DMZ. So if a user goes to http://ourapacheserverinthedmz.com/us they will be proxypassed to our load balancer using the gateway's FQDN.
> 
> This preserves the FQDN in the DMZ and masks the internal addresses of our load balancer and two Apache web servers.
> 
> We have Kerberos working on one server, when the LB is shut down. To do this we got our Windows techies to create a service principal for http://webserver1.com and a corresponding keytab.
> 
> This works fine if we access the server directly via its own URL, i.e. http://webserver1.com, but how do we do this for two servers when the originating URL is that of the Apache gateway, i.e. http://ourapacheserverinthedmz.com/us?
> 
> Do we create one keytab for http://ourapacheserverinthedmz.com/us and have this added to the SPNs for both Apache web servers? Or do we simply have one keytab created for http://ourapacheserverinthedmz.com/us and then have an SPN for our load balancer?
> 
> http gateway
>                 |
> Load balancer
>                 |
> -----------------------
>     |                      |
> WS1              WS2 ---------------|
> KDC
>     |-------------------------------|
> 
> Cheers
> 
> Albert
> 

Hi Richard, and thanks for your help.

Things have slightly changed insofar as we have a hack that keeps internal people internal. So the proxy in the DMZ will not be used now for internal people.

So now what I have is an Apache load balancer with two Apache web servers; both have Kerberos working alone.

Do I need to create keytabs for all three servers or just the two Apache web servers?

Would this be correct?

webserver1 Apache keytab:
- HTTP/ourapacheloadbalancer.com@REALM
- HTTP/webserver1.com@REALM

webserver2 Apache keytab:
- HTTP/ourapacheloadbalancer.com@REALM
- HTTP/webserver2.com@REALM

I will probably test it for now with just one web server being served by the load balancer.

Many thanks for your help.

Albert
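An added example, not from this thread or from the Kerberos project, that checks the keytab layout proposed in the message above. It parses the text that `klist -kt <keytab>` prints (MIT Kerberos format; the output below is constructed) for each backend and verifies that every backend holds a key for the shared load-balancer principal plus its own host principal. It also adds a check the thread does not mention: the key version number (kvno) of the shared `HTTP/ourapacheloadbalancer.com` entry must be identical on both backends, because a keytab regenerated for one backend leaves the other with a stale key and the browser's service ticket, issued for the load balancer name, then fails on whichever backend holds the old key. It assumes the "at" in the archive's rendering of the principals stands for `@` and that the realm is literally `REALM`.

```python
"""Check backend keytabs for Kerberos behind an Apache load balancer.

Added example (not from the mailing-list thread). Parses `klist -kt` text
for each backend and verifies the shared LB principal, the per-host
principal, and a consistent kvno for the shared principal across backends.
Hostnames and realm follow the thread; the klist output is constructed.
"""
import re
from collections import defaultdict

REALM = "REALM"
LB_PRINCIPAL = f"HTTP/ourapacheloadbalancer.com@{REALM}"

# Constructed `klist -kt` output, one per backend keytab. The same principal
# appears once per encryption type, so repeated lines are normal.
KLIST_OUTPUT = {
    "webserver1": """\
Keytab name: FILE:/etc/httpd/conf/webserver1.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 08/13/12 15:51:23 HTTP/ourapacheloadbalancer.com@REALM
   4 08/13/12 15:51:23 HTTP/ourapacheloadbalancer.com@REALM
   2 08/13/12 15:51:23 HTTP/webserver1.com@REALM
""",
    "webserver2": """\
Keytab name: FILE:/etc/httpd/conf/webserver2.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   5 08/13/12 16:02:10 HTTP/ourapacheloadbalancer.com@REALM
   3 08/13/12 16:02:10 HTTP/webserver2.com@REALM
""",
}

# One entry line: kvno, date, time, principal@REALM.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def parse_klist(text):
    """Return {principal: set(kvno)} from `klist -kt` text."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(2)].add(int(m.group(1)))
    return dict(entries)


def check_backend(name, keytab_principals):
    """Return a list of problems for one backend's keytab (empty if OK)."""
    problems = []
    own = f"HTTP/{name}.com@{REALM}"
    if LB_PRINCIPAL not in keytab_principals:
        problems.append(f"{name}: missing shared principal {LB_PRINCIPAL}")
    if own not in keytab_principals:
        problems.append(f"{name}: missing own principal {own}")
    return problems


def check_cluster(outputs):
    """Check every backend; return (problems, kvno set per backend for the LB principal)."""
    problems = []
    lb_kvnos = {}
    for name, text in outputs.items():
        principals = parse_klist(text)
        problems.extend(check_backend(name, principals))
        if LB_PRINCIPAL in principals:
            lb_kvnos[name] = principals[LB_PRINCIPAL]
    # Every backend must carry the same key version for the shared principal;
    # a mismatch means one keytab was (re)generated after the other.
    if len({frozenset(v) for v in lb_kvnos.values()}) > 1:
        problems.append(
            f"kvno mismatch for {LB_PRINCIPAL}: "
            + ", ".join(f"{n}={sorted(v)}" for n, v in sorted(lb_kvnos.items()))
        )
    return problems, lb_kvnos


if __name__ == "__main__":
    found, _ = check_cluster(KLIST_OUTPUT)
    for p in found or ["all keytabs consistent"]:
        print(p)
```

On a real deployment, replace the constructed strings with the output of `klist -kt` run against each backend's keytab; the sample data deliberately contains a kvno mismatch (4 vs 5) so the script reports the stale-key case rather than a clean result.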



More information about the Kerberos mailing list